ferm: convert BASE_SSH_ALLOWED rules into puppet exported rules
right now a new node technically doesn't get the "jumphost" functionality ("has SSH access everywhere else") out of the box. for that to work, the network the box is on needs to be added to tor-puppet/modules/ferm/templates/defs.conf.erb
by hand. this is okay-ish for instances of IP ranges that already exist, but is a pain for new (say) ganeti nodes themselves which are usually not in those ranges (as opposed to their instances, using the vswitch range).
so those magic IP addresses should be turned into exported resources that follow our policy. maybe that exported resource should be part of a "jumphost" class that get included where we want, or just everywhere, but in any case, it should be moved into puppet to make installs more consistent and faster.